WatchGuard Security Week in Review in Writing (Oct.3, 2014)

iOS Trojan, BadUSB PoC, and Gamer Hackers Charged

Normally, I post a weekly video that summarizes the three biggest information and network security stories every Friday. However, due to a busy travel and work schedule I couldn’t find a convenient time to shoot. But fear not… Instead, I’ll post a written summary this week, and continue with the video posts next week. Read on for the latest security news:

  1. “First” iOS Trojan released in the wild – A mobile security company, Lacoon, claims they have found the “first” iOS trojan being used in the wild. They call the malware Xsser mRAT, and it’s related to a similar Android trojan called Xsser. If it infects your mobile device, it’s capable of stealing all kinds of information including texts, emails, passwords, and so forth. Allegedly, the malware comes from Chinese government actors targeting the Occupy Central protesters in Hong Kong. However, the trojan can only infect jailbroken iPhones.
  2. BadUSB malware exploit is now available to the public – In previous videos, I told you about the extremely dangerous new threat against USB devices. At Black Hat this year, Karsten Nohl of SRlabs showed how you could exploit flaws in USB controller firmware to create malicious USB devices that are almost impossible to detect. Thankfully, Nohl did not release Proof-of-Concept (PoC) code for the attack, since USB manufacturers did not yet have a solution to the problem. However, this week some of his co-researchers decided to release PoC on GitHub during DerbyCon, apparently in hopes of pressuring USB vendors into figuring out a fix. Personally, I think this was a major mistake. While I think “full disclosure” is a good thing, I believe it should be done responsibly, after giving vendors time to protect their customers. While historically researchers have used early disclosure as a way to pressure companies to do the right thing, this is an industry-wide, standards-level vulnerability with no easy solution. All these researchers have done is make it easier for the bad guys to start exploiting this issue (IMHO).
  3. Four hackers charged with stealing millions in IP from Microsoft, Epic, Valve, and the military – This week, legal documents came out detailing the charges against four hackers who stole data and games from many gaming companies, and even the military. The alleged hackers are from the US, Canada, and Australia. According to documents, this group used mostly SQL injection (SQLi) techniques to steal a ton of data. They stole Xbox One and Xbox Live information, games like Gears of War 3, and they even stole a military Apache simulator. This case is related to the SuperDAE hacker I mentioned in a video months ago.

Thanks for following our weekly summary, and be sure to join us next week when I resume the video. Also, don’t forget to check out references to many other interesting security stories below.

Extras Story References:

— Corey Nachreiner, CISSP (@SecAdept)

The original article/video can be found at WatchGuard Security Week in Review in Writing (Oct.3, 2014)